oData is just a way to expose structured data through an open API. It does not requre any particular form of security; it’s possible to have fully open datasets (like a wiki database) or world-readable-but-private-writeable (such as a database of votes by members of Congress, so anyone can read it but only you can update it). It also supports more complex security structures (such as a video rental store allowing customers to query only their own history).

Regarding your specific concerns:

• SQL injection is simply not possible if you’re using the ADO.NET Data Services as your oData server. The incoming oData request is parsed and then passed to an IQueryable, which properly escapes all values.
• The business layer / data layer validation remains the same. oData just provides an API for the data layer (or business layer, if it looks databaseish).
• Unauthorized access to data isn’t possible unless you allow it. The default for ADO.NET Data Services is to not allow any access (even read-only access), so that forces you to explicitly authorize all access.
• The “raw dump” scenario is exactly why oData is so useful! It’s a protocol that allows efficient querying of data sources over the web, instead of depending on fragile screen scraping “solutions”. If you don’t want someone to get the information, don’t publish it.

Right now (to my knowledge), ADO.NET Data Services is the only oData provider available, and it’s secure by default. I suppose that someone else could write an oData provider that wasn’t secure by default or allowed SQL injection, but that would be foolish.

Also, remember that oData is completely divorced from the concept of authentication. It’s up to you to use whatever authentication makes sense for your API. There’s a great recent series of blog posts from the WCF team that address how oData works with various forms of authentication.